How to Deploy SSL Certificates on Nginx


Nginx is a high-performance HTTP and reverse proxy server, as well as an IMAP/POP3/SMTP server. Increasingly, integrated environments are using Nginx servers, such as Junge's LNMP one-click package, AMH Host Panel, and OneinStack. If you plan to deploy an SSL certificate for your website for security reasons, here is how to proceed.


1. Apply for an SSL Certificate

Both foreign providers like StartSSL and domestic providers like WoTrus offer free SSL certificates, though paid options are also available. For personal blog websites, free certificates are usually sufficient. You can refer to the article: WoTrus Free SSL Certificate Application to apply for a free SSL certificate.

2. Prepare the Environment

Having the certificate is not enough; you also need to set up a web server to host it. As mentioned earlier, LNMP one-click packages, AMH Host Panel, and OneinStack all use Nginx as the web server. Installing any one of these will suffice.

3. Deploy the SSL Certificate

This is the most critical step. First, upload the SSL certificate from Step 1 to a directory on your server. You can use WinSCP to upload the .crt and .key files to a directory such as /usr/local/nginx/conf/ssl/. The .key file is the private key, so keep it readable only by the account that starts Nginx. Then open the host configuration file (usually found in /usr/local/nginx/conf/vhost/xxx.conf) in the vi editor and add the following lines inside the server block:

listen 443 ssl;
ssl_certificate /usr/local/nginx/conf/ssl/www_xiaoz_me.crt;
ssl_certificate_key /usr/local/nginx/conf/ssl/www_xiaoz_me.key;

4. Allow Port 443

HTTPS (SSL) requires port 443. If your firewall (iptables) does not allow port 443, your website may become inaccessible over HTTPS. Edit the iptables configuration file, add the rule shown below, and restart the firewall:

vi /etc/sysconfig/iptables   ## Edit the configuration file
## Add this rule to the file, above any REJECT rule for the INPUT chain:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
/etc/init.d/iptables restart ## Restart the firewall

5. Restart the Nginx Server

For Junge's LNMP, enter the command lnmp nginx restart. For AMH, enter amh nginx restart. Additionally, if you are using a StartSSL certificate, restarting Nginx may prompt you to enter the certificate password. Incorrect configuration may cause Nginx to fail to start. Please back up your host configuration file before making changes.
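
Several mistakes that stop Nginx from starting after steps 3 to 5 can be caught before the restart. The script below is an added example, not part of the original article or of the LNMP or AMH tooling; its function names and return codes are illustrative, and it assumes the nginx and openssl commands are on the PATH.

```shell
#!/bin/sh
# Added example: checks to run on a vhost file after step 3 and before the
# restart in step 5. Function names and return codes are illustrative.

# Print the first value of a one-argument directive such as ssl_certificate.
directive_value() {   # usage: directive_value <directive> <vhost.conf>
    sed -n "s/^[[:space:]]*$1[[:space:]][[:space:]]*\([^;]*\);.*/\1/p" "$2" | head -n 1
}

# Static checks; sets $crt and $key for the caller. Returns 0 when all pass.
check_vhost() {       # usage: check_vhost <vhost.conf>
    grep -Eq '^[[:space:]]*listen[[:space:]]+[^;#]*443[^;#]*[[:space:]]ssl[[:space:]]*;' "$1" \
        || { echo "no 'listen 443 ssl;' line" >&2; return 1; }
    crt=$(directive_value ssl_certificate "$1")
    key=$(directive_value ssl_certificate_key "$1")
    [ -n "$crt" ] && [ -n "$key" ] \
        || { echo "ssl_certificate or ssl_certificate_key missing" >&2; return 2; }
    [ -r "$crt" ] && [ -r "$key" ] \
        || { echo "certificate or key file not readable" >&2; return 3; }
    # The private key should not be accessible to group or other users.
    case $(ls -ld "$key" | cut -c5-10) in
        ------) ;;
        *) echo "loose permissions on $key (try chmod 600)" >&2; return 4 ;;
    esac
}

# Compare the public key in the certificate with the one derived from the
# private key. Needs the openssl CLI; asks for the passphrase if the key has one.
key_matches_cert() {  # usage: key_matches_cert <crt> <key>
    cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 1
    key_pub=$(openssl pkey -pubout -in "$2") || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

precheck() {          # usage: precheck <vhost.conf>
    check_vhost "$1" || return
    key_matches_cert "$crt" "$key" \
        || { echo "private key does not match certificate" >&2; return 5; }
    nginx -t          # assumes nginx is on PATH; validates the full configuration
}

if [ $# -gt 0 ]; then precheck "$1"; fi
```

Run it with the vhost file as its only argument, for example the /usr/local/nginx/conf/vhost/xxx.conf file from step 3, and restart Nginx only when it exits with status 0.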

6. Configuration File Example

The following code is an example where both port 80 (HTTP) and port 443 (HTTPS) coexist, for your reference:

server
{
    listen 80;
    listen 443 ssl;
    server_name www.xiaoz.me;
    index index.html index.htm index.php;
    root /home/wwwroot/www.xiaoz.me/;
    # Leave "ssl on;" commented out: it would turn on SSL for port 80 as well
    #ssl on;
    ssl_certificate /usr/local/nginx/conf/ssl/www_xiaoz_me.crt;
    ssl_certificate_key /usr/local/nginx/conf/ssl/www_xiaoz_me.key;
    # The following configuration is omitted
}